Netskope - Off-Hours High-Volume Web Activity
41 NK Off Hours High Volume Activity
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| extend
HourOfDay = hourofday(TimeGenerated),
DayOfWeek = dayofweek(TimeGenerated)
| where (HourOfDay >= 20 or HourOfDay < 6)
or (DayOfWeek == 6d or DayOfWeek == 0d)
| summarize
RequestCount = count(),
TotalMBUploaded = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
TotalMBDownload = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
UniqueDomains = dcount(domain_s),
TopDomains = make_set(domain_s, 10),
TopApps = make_set(app_s, 10),
SourceIPs = make_set(srcip_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s
| where TotalMBUploaded > 100 or TotalMBDownload > 500 or RequestCount > 5000
| order by TotalMBUploaded desc, RequestCount descExplanation
This query is designed to detect unusual high-volume web activity by users through Netskope during off-business hours, which are defined as weekends or between 8:00 PM and 6:00 AM local time. The goal is to identify potential data exfiltration attempts that might go unnoticed by security teams.
Here's a simple breakdown of what the query does:
-
Data Source: It uses data from the
NetskopeWebTransactionsconnector, specifically theNetskopeWebTx_CLdata type. -
Time Frame: It looks at data from the past day (24 hours).
-
Filtering:
- It excludes any web activity that was blocked.
- It focuses on activity during off-hours (either late at night or on weekends).
-
Analysis:
- It calculates the number of requests, total megabytes uploaded and downloaded, and counts unique domains accessed by each user.
- It identifies the top domains and applications accessed, as well as the source IPs involved.
-
Thresholds for Alerts:
- An alert is triggered if a user uploads more than 100 MB, downloads more than 500 MB, or makes more than 5000 requests during off-hours.
-
Output:
- The results are sorted by the amount of data uploaded and the number of requests.
- Alerts are generated with details about the user, the volume of data transferred, and the number of requests made.
-
Incident Management:
- If an alert is triggered, an incident is created.
- Incidents are grouped by user accounts to manage related alerts together.
This query helps security teams identify potential security threats by flagging unusual data transfer activities during times when such activities are less likely to be legitimate.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P1D